├── conf
    └── .gitkeep
├── .gitignore
├── nginx.server.tpl
├── nginx.http.tpl
├── updateBlocklist.sh
├── README.md
└── generateConf.sh


/conf/.gitkeep:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
nginx.http.conf
conf/*

--------------------------------------------------------------------------------
/nginx.server.tpl:
--------------------------------------------------------------------------------
if ($fmt_rugov = "RUGOV" ) { return 499; }

--------------------------------------------------------------------------------
/nginx.http.tpl:
--------------------------------------------------------------------------------
geo ${FMTD}fmt_rugov {
    default 0;
    include ${FMT_DIR}/conf/rugov.map.conf;
}

--------------------------------------------------------------------------------
/updateBlocklist.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'

# Resolve the real script directory, even when the script is run through a symlink.
FMTDIR=$(dirname "$(readlink -f "$0")")

# Build the geo map in a temporary file and rename it into place only after the
# download succeeded, so a failed or partial download cannot truncate the live map.
FMT_TMP="$FMTDIR/conf/rugov.map.conf.tmp"
curl --silent --show-error --fail "https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists/blacklist.txt" | while read -r line; do echo "${line} RUGOV;"; done > "$FMT_TMP"
mv -f "$FMT_TMP" "$FMTDIR/conf/rugov.map.conf"

# Without arguments, only refresh the map.
if [ -z "${1+x}" ]; then
    exit
fi

# With --restart, test the configuration and reload nginx if it is on PATH.
if [ "$1" == "--restart" ]; then
    FMT_NGINX=$(type -t nginx || echo "")
    if [ "$FMT_NGINX" == "" ]; then
        echo "Nginx not found. Do the restart yourself! Run 'nginx -s reload'"
        exit
    fi
    nginx -t
    nginx -s reload
fi

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Keep your webserver behind Nginx clean from RKN bots.

This project uses blacklists from https://github.com/C24Be/AS_Network_List/blob/main/blacklists/blacklist.txt

## How to use

Clone this repo to your server and run ./generateConf.sh

You will then see output like this:

```
Add this block into the main Nginx config (usually resides in /etc/nginx/nginx.conf):

    include /home//nginx-rugov-block/conf/nginx.http.conf;

Usually, putting this into a separate conf file in /etc/nginx/conf.d/rugov.conf should be enough. Run to achieve this:

    echo 'include /home//nginx-rugov-block/conf/nginx.http.conf;' | sudo tee /etc/nginx/conf.d/rugov.conf

Add this directive to every server block you want to protect:

    if ($fmt_rugov = "RUGOV" ) { return 499; }

Alternatively, you can include this directive into every server block using:

    include /home//nginx-rugov-block/conf/nginx.server.conf;

The next steps are:
 - reload nginx (nginx -s reload)
 - periodically update blacklists using '/home//nginx-rugov-block/updateBlocklist.sh --restart'

You can achieve cron auto update by symlinking the update script to cron.daily:

sudo ln -s /home//nginx-rugov-block/updateBlocklist.sh /etc/cron.daily/rugov_nginx_updater
```

Do all the steps carefully and you are done!

P.S. Don't forget to update lists!

--------------------------------------------------------------------------------
/generateConf.sh:
--------------------------------------------------------------------------------
#!/bin/bash -e
set -euo pipefail
IFS=$'\n\t'

# Absolute directory of this script; envsubst substitutes it into the templates.
FMT_DIR=$(dirname "$(readlink -f "$0")")
export FMT_DIR

# Fetch the blocklist once if no map has been generated yet.
if [ ! -f "${FMT_DIR}/conf/rugov.map.conf" ]; then
    echo "Updating blacklist map..."
    "${FMT_DIR}/updateBlocklist.sh"
fi

# FMTD expands to a literal '$' so that envsubst leaves the nginx variable name intact.
FMTD='$' envsubst < "${FMT_DIR}/nginx.http.tpl" > "${FMT_DIR}/conf/nginx.http.conf"
cp -f "${FMT_DIR}/nginx.server.tpl" "${FMT_DIR}/conf/nginx.server.conf"

echo "Add this block into the main Nginx config (usually resides in /etc/nginx/nginx.conf):"
echo
echo "    include ${FMT_DIR}/conf/nginx.http.conf;"
echo
echo "Usually, putting this into a separate conf file in /etc/nginx/conf.d/rugov.conf should be enough. Run to achieve this: "
echo
echo "    echo 'include ${FMT_DIR}/conf/nginx.http.conf;' | sudo tee /etc/nginx/conf.d/rugov.conf"
echo
echo "Add this directive to every server block you want to protect:"
echo
echo '    if ($fmt_rugov = "RUGOV" ) { return 499; }'
echo
echo "Alternatively, you can include this directive into every server block using:"
echo
echo "    include ${FMT_DIR}/conf/nginx.server.conf;"
echo
echo "The next steps are:"
echo " - reload nginx (nginx -s reload)"
echo " - periodically update blacklists using '${FMT_DIR}/updateBlocklist.sh --restart'"
echo
echo "You can achieve cron auto update by symlinking the update script to cron.daily:"
echo
echo "sudo ln -s ${FMT_DIR}/updateBlocklist.sh /etc/cron.daily/rugov_nginx_updater"

--------------------------------------------------------------------------------
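
updateBlocklist.sh copies every downloaded line into an nginx geo include without checking it, so the generated configuration is only as trustworthy as the upstream file. The following is an added example, not part of the repository: it validates each line and replaces the map atomically. The function names are hypothetical, and it assumes the list holds one bare network or address per line.

```sh
#!/bin/sh
# Added example, not part of the repository. build_geo_map and update_map_file
# are hypothetical helper names; RUGOV is the value nginx.server.tpl tests for.

# Shape checks only: a bare IPv4/IPv6 address with an optional prefix length.
# Range errors (e.g. an octet of 999) are still caught later by `nginx -t`.
CIDR4='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
CIDR6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'

# Reads candidate networks on stdin and writes "<network> RUGOV;" lines.
# Returns 1 if any non-blank line is not a bare network, in which case the
# caller must discard the output.
build_geo_map() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq -e "$CIDR4" -e "$CIDR6"; then
            printf '%s RUGOV;\n' "$line"
        else
            printf 'rejected line: %s\n' "$line" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Builds the map from stdin in a temporary file beside $1 and renames it into
# place only if every line validated and the result is non-empty.
update_map_file() {
    dest=$1
    tmp="${dest}.tmp.$$"
    if build_geo_map > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample input (documentation address ranges, not the real list).
# The last line carries nginx syntax characters and causes a rejection.
sample='192.0.2.0/24
2001:db8::/32
203.0.113.0/24; }'
printf '%s\n' "$sample" | build_geo_map || echo "list rejected, existing map kept"
```

In updateBlocklist.sh the curl output would be piped into `update_map_file` in place of the `while read` loop. Because cron.daily runs scripts without arguments, a symlinked updater refreshes the map but never receives `--restart`, so the nginx reload has to be scheduled separately.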